Okta Inc.

11/07/2024 | News release | Distributed by Public on 11/07/2024 18:44

PCI DSS 4.0: What financial service providers need to know about new regulatory requirements

For financial service providers, enabling convenient and seamless payment while keeping sensitive customer information safe is paramount. In 2006, the major payment card brands founded the Payment Card Industry Security Standards Council (PCI SSC), a global forum that develops and maintains standards for securing payments and cardholder data. The council's Payment Card Industry Data Security Standard (PCI DSS) sets out the baseline controls that any organization storing, processing, or transmitting cardholder data must meet, and it is the reference financial service organizations work against amid a rising tide of cyberthreats.

On March 31, 2024, PCI DSS version 4.0 became the only active version of the standard, replacing version 3.2.1. Some of the new 4.0 requirements took effect immediately; the majority are future-dated and are treated as best practices until March 31, 2025, after which they are required in assessments. This means that, for financial service companies who still need clarity on the requirements and how to achieve them, precious months remain to strengthen and modernize their security infrastructure.

This blog aims to answer the biggest questions surrounding PCI DSS 4.0, including:

  • What are the goals of this update?
  • How do the updated requirements impact authentication?
  • How can a modern Identity solution like Okta help support the Identity-related requirements contained in PCI DSS?

What are the goals of PCI DSS 4.0?

PCI DSS 4.0 was developed to further the PCI Security Standards Council's stated goal of keeping sensitive consumer information safe within the context of using payment cards in digital environments. While previous versions of the PCI DSS were full of rigorous standards and rules for payment security, the dramatic shift toward ecommerce during and after COVID-19 exposed lingering vulnerabilities that needed to be addressed, especially in an environment characterized by rising cyberattacks.

The goals of PCI DSS 4.0 fall into four broad categories.

GOALS OF PCI DSS 4.0

  1. Meet the payments industry's security needs. The threat landscape has changed dramatically over the past few years, so the PCI DSS adapts with new or expanded requirements covering multi-factor authentication (MFA), passwords, e-commerce, and phishing resistance.

  2. Promote security as a continuous process. Effective security is not a one-and-done task; it's an ongoing practice. PCI DSS 4.0 addresses this through detailed requirements, each with clearly assigned roles and responsibilities, and robust guidance around implementation.

  3. Increase flexibility for different methods of achieving security. Allowing different paths toward stronger security drives innovation and widespread adoption. PCI DSS 4.0 supports this through targeted risk analyses, a customized approach that lets an organization meet a requirement's stated objective with controls of its own design, and additional options for meeting security objectives through innovative methods.

  4. Enhance validation methods and procedures. Clear validation and reporting options give assessors and the payment brands an accurate, granular picture of a provider's controls. PCI DSS 4.0 aims to close the gap between an organization's actual security infrastructure and the picture of that infrastructure presented in its compliance reporting.

How have authentication requirements been updated?

One area of meaningful change within PCI DSS 4.0 concerns authentication: ensuring that a given user is who they say they are and permitting access to sensitive materials accordingly. The following is a high-level summary of the key authentication-related changes in PCI DSS 4.0.

  1. MFA is now required for all access into the cardholder data environment (CDE), not only for administrators, in addition to all remote access from outside the organization's network (Requirement 8.4).
  2. The minimum password length is now 12 characters (up from 7), or 8 characters where a system cannot support 12 (Requirement 8.3.6).
  3. Where a password is the only authentication factor, it must be changed at least every 90 days, or the account's security posture must be dynamically analyzed to determine access in real time (Requirement 8.3.9).
  4. Shared, group, and generic accounts remain permitted only on an exception basis, with documented business justification, management approval, and every action traceable to an individual user (Requirement 8.2.2); privileged access management is one way to provide that traceability.

A closer look: Requirement 8 and MFA

PCI DSS 4.0 is organized into 12 requirements, one of which focuses exclusively on Identity. Requirement 8 ("Identify users and authenticate access to system components") compels organizations to assign a unique ID to each person with access, ensuring that actions relating to critical data and systems are performed by, and can be traced to, known and authorized users.

Unless otherwise stated, these requirements apply to all accounts, including point-of-sale, administrative, and all accounts used to view or access payment account data. These requirements do not apply to accounts used by consumers (cardholders).
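As an added example (not Okta's code and not an Okta API), the following Python audits a constructed set of accounts against the authentication changes listed above and the scope rule in this section (consumer accounts excluded). It also covers the two checks the Identity Security Posture Management spotlight below describes: accounts with elevated access but no MFA, and accounts left enabled after their owner was offboarded. The Account record layout, its field names, the audit date, and the sample accounts are assumptions made for illustration.

```python
"""Added example: audit a constructed set of accounts against the PCI DSS 4.0
authentication rules summarized above. Not Okta code; the record layout and
the sample data are invented for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

MIN_PASSWORD_LENGTH = 12    # Req 8.3.6 (8 only where a system cannot support 12)
MAX_PASSWORD_AGE_DAYS = 90  # Req 8.3.9, applies when a password is the only factor


@dataclass
class Account:
    """Hypothetical account record; field names are assumptions, not an Okta schema."""
    user_id: str
    kind: str                     # "user", "admin", "shared" or "consumer"
    password_length: int
    password_changed: date
    mfa_enrolled: bool
    accesses_cde: bool            # can the account reach the cardholder data environment?
    individual_tracing: bool = True   # shared accounts: is each use attributable to a person?
    owner_active: bool = True         # False once the owning person has been offboarded


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the findings for one account; an empty list means no issue found."""
    findings: List[str] = []
    if acct.kind == "consumer":
        return findings  # cardholder accounts are out of scope for Requirement 8
    if acct.password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"8.3.6: password shorter than {MIN_PASSWORD_LENGTH} characters")
    if not acct.mfa_enrolled:
        # Rotation only matters when the password is the sole factor.
        age = (today - acct.password_changed).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"8.3.9: password-only account, password is {age} days old")
    if acct.accesses_cde and not acct.mfa_enrolled:
        findings.append("8.4: access into the CDE without MFA")
    if acct.kind == "shared" and not acct.individual_tracing:
        findings.append("8.2.2: shared account without individual accountability")
    if not acct.owner_active:
        findings.append("8.2.5: account still enabled after its owner was offboarded")
    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant user_id to its findings; compliant accounts are omitted."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.user_id] = findings
    return report


# Constructed sample data, not taken from any real environment.
AUDIT_DATE = date(2025, 3, 31)  # the day the future-dated 4.0 requirements become mandatory
SAMPLE_ACCOUNTS = [
    Account("alice", "user", 14, date(2025, 1, 15), mfa_enrolled=True, accesses_cde=True),
    Account("bob", "admin", 9, date(2024, 11, 1), mfa_enrolled=False, accesses_cde=True),
    Account("pos-terminal-07", "shared", 16, date(2025, 3, 1), mfa_enrolled=True,
            accesses_cde=True, individual_tracing=False),
    Account("carol", "user", 12, date(2025, 2, 20), mfa_enrolled=True, accesses_cde=False,
            owner_active=False),
    Account("cardholder-1", "consumer", 6, date(2023, 1, 1), mfa_enrolled=False,
            accesses_cde=False),
]

if __name__ == "__main__":
    for user_id, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user_id)
        for finding in findings:
            print("  -", finding)
```

Each finding is keyed to the subsection it comes from, so the output can be dropped into an evidence list for an assessor. Note that "bob" trips three rules at once: short password, stale password with no second factor, and MFA-less access into the CDE. Fixing the MFA gap alone would silence the 8.3.9 rotation finding, since rotation is only mandated for single-factor accounts, but the 8.3.6 length finding would remain.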

Okta supports compliance with every aspect of Requirement 8. In fact, for each subsection, Okta has at least one capability that supports stronger and more secure authentication.

Subsection 8.1
Requirement: Processes and mechanisms for identifying users and authenticating access to system components are defined and understood.
Okta capabilities and benefits: Okta Identity Governance provides a unified solution that improves an organization's security posture while improving access governance, helping ensure that the right users can access the right resources at the right time. Many companies lack visibility into Identity and access sprawl in their organization, which makes it difficult for security teams to verify that controls are implemented properly in complex cloud and SaaS environments. This is why Okta has introduced Okta Identity Security Posture Management.

Subsection 8.2
Requirement: User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle.
Okta capabilities and benefits: Okta Lifecycle Management automates user provisioning and deprovisioning across applications and cloud directories, managing user Identity and access from a central location.

Subsections 8.3 to 8.6
Requirements:
  8.3 Strong authentication for users and administrators is established and managed.
  8.4 MFA is implemented to secure access to the cardholder data environment (CDE).
  8.5 MFA systems are configured to prevent misuse.
  8.6 Use of application and system accounts and associated authentication factors is strictly managed.
Okta capabilities and benefits: Adaptive MFA protects access to resources with two or more high-assurance authentication factors, including phishing-resistant factors, and lets organizations enforce their authentication policies flexibly to meet their needs and requirements.

Capability spotlight: Okta Privileged Access Management

To support the dual goals of strengthening security and allowing more flexible methods to achieve it, PCI DSS 4.0 permits shared, group, and generic accounts only on an exception basis: their use must be prevented unless needed and limited to the time needed, the business justification must be documented and approved by management, and every action must be traceable to an individual user (Requirement 8.2.2). Privileged Access Management is one practical way to meet those conditions at scale.

Okta Privileged Access allows security admins to control exclusive access to privileged resources like servers. It also enables you to limit the use of shared accounts, provide elevated access for a specific timeframe, and use ephemeral certificates instead of user IDs and passwords. In addition, you can extend MFA as part of the policy to access these resources. This layer of Identity-based security makes it possible to determine individual accountability within shared privileged accounts, which supports enhanced security for those privileged resources.

Capability spotlight: Okta Identity Security Posture Management

Identity and access sprawl has become an expansive, unmanaged attack surface rife with partially offboarded users, over-provisioned identities, and unused and risky permissions.

This precarious reality exposes organizations to malicious access via phishing, stolen credentials, and account takeovers, draining the time and resources of the security teams charged with protecting them.

Okta Identity Security Posture Management is a single, streamlined offering that automates Identity visibility, management, and remediation, delivering a "one-stop shop" for identifying and prioritizing Identity risk. Its contextualization capabilities link each user account to its required privileges, activities, and stage in the employee lifecycle to mitigate threats and help ensure compliance. This includes identifying accounts that have elevated access and accounts that have no MFA configured.

Okta: your secret weapon for keeping up with regulatory changes

Financial services providers have until March 31, 2025, to meet the future-dated requirements described above, which means there is not much time remaining to advance the maturity of their security infrastructure across the board. Okta's solutions can play a critical role in this advancement, securing and modernizing your Identity function to meet industry standards and keep customer information safe.

If you're looking for guidance on how to improve your Identity maturity, reach out to our team for an assessment.

Disclaimer: These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.